[SRU] after upgrade to 20.04: dane support is not working
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix (Ubuntu) | Fix Released | Medium | Unassigned |
Focal | Fix Released | Medium | Lucas Kanashiro |
Bug Description
[Impact]
Users cannot send emails using dane-only policy in Focal.
In this SRU we are proposing a microrelease update from version 3.4.10 to 3.4.13, since the changes are self-contained. Moreover, there is a Postfix SRU exception which allows microreleases if the bug is fixed in the current development series:
https:/
According to the described process there is no need to define Test Case and Regression Potential sections. Upstream has been doing good work on those stable-version bug fixes.
Here are the upstream changelog entries between 3.4.10 and 3.4.13:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
20200419
Bugfix: segfault in the tlsproxy client role when the server
role was disabled. This typically happens on systems that
do not receive mail, after configuring connection reuse for
outbound TLS. Found during program maintenance. File:
tlsproxy/
20200420
Noise suppression: shut up a compiler that special-cases
string literals. Viktor Dukhovni. File milter/milter.c.
20200422
Security: disable DANE support on Alpine Linux because
libc-musl provides no indication whether DNS responses are
authentic. This broke DANE support without a clear explanation.
File: makedefs.
20200505
Noise suppression: shut up a compiler that special-cases
string literals. Viktor Dukhovni. File smtpd/smtpd_
20200509
Bugfix (introduced: Postfix 3.5): maillog_
default value used the minute instead of the month. Reported
by Larry Stone. Files: conf/postfix-
proto/
global/
20200510
Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
initializing the ICU library before making the chroot()
call. Files: util/midna_
20200511
Noise suppression: avoid "SSL_Shutdown:
init" warnings. File: tls/tls_session.c.
20200515
Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
client caused a false 'lost connection' error for an SMTP
over TLS session in the same Postfix process. Reported by
Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
tls/tls_bio_ops.c.
Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
session may cause a false 'lost connection' error for a
concurrent TLS session in the same tlsproxy process. File:
tlsproxy/
20200530
Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
did not handle a missing optional argument. File:
conf/postfix-
20200610
Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
the SNI callback reported an error when it was called a
second time. This happened after the server-side TLS engine
sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
client. Reported by Ján Máté, fixed by Viktor Dukhovni.
File: tls/tls_misc.c.
This new microrelease fixes the DANE issue and the build against GCC 10, which lets us drop a patch applied in version 3.4.7-1 (80_glibc2.
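The 20200416 DANE entry above is the one that matters for this bug. glibc 2.31 changed its stub resolver so that, unless `trust-ad` is set in /etc/resolv.conf (RES_TRUSTAD in `_res.options`), the AD (authenticated data) bit is cleared from responses before the application sees it, and a DANE client that never sees AD on its TLSA lookup cannot treat the record as DNSSEC-validated, so a dane-only policy has nothing to work with. The upstream change sets the option from inside Postfix, which is why no resolv.conf edit is needed. The script below is an added example, not code from Postfix or from this bug report: it sends a raw TLSA query over UDP (bypassing libc entirely), reads the AD bit straight off the wire, and models the glibc filtering step so that the "trust-ad" and default cases can be compared side by side. The owner name `_25._tcp.mail.example.net`, the transaction id and the sample response bytes are constructed for illustration.

```python
"""Check whether a resolver hands back the AD (authenticated data) bit on a
TLSA lookup, the precondition for DANE, and model the glibc 2.31 change."""
import socket
import struct

TLSA_TYPE = 52   # RFC 6698
OPT_TYPE = 41    # EDNS(0) pseudo-RR, needed to carry the DO bit
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_tlsa_query(qname: str, txid: int = 0x1234) -> bytes:
    """Query with RD and AD set (what glibc sends in trust-ad mode), one
    question, and an OPT record with the DO bit so validating data is returned."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TLSA_TYPE, 1)
    # OPT: root name, type 41, UDP payload size 4096, DO bit in the TTL field, no rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x8000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; 'ad' is what DANE needs to be True."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def stub_resolver_filter(msg: bytes, trust_ad: bool) -> bytes:
    """Model of the glibc 2.31 stub resolver: the AD bit is passed through only
    in trust-ad mode; by default it is cleared before the caller sees it."""
    if trust_ad:
        return msg
    txid, flags = struct.unpack("!HH", msg[:4])
    return struct.pack("!HH", txid, flags & ~FLAG_AD) + msg[4:]


def query_tlsa_ad(qname: str, server: str = "127.0.0.1", timeout: float = 3.0) -> dict:
    """Talk to the name server directly, so the result shows what the server
    itself said, independent of the trust-ad setting in resolv.conf."""
    query = build_tlsa_query(qname)
    txid = parse_header(query)["id"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr


# Constructed sample: a validated answer (QR, RD, RA, AD set, rcode 0, one answer
# record claimed) followed by the echoed question section. Not a real capture.
SAMPLE_VALIDATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
    + encode_name("_25._tcp.mail.example.net") + struct.pack("!HH", TLSA_TYPE, 1)
)

if __name__ == "__main__":
    import sys
    # Hypothetical owner name; pass the TLSA name of the MX you care about.
    name = sys.argv[1] if len(sys.argv) > 1 else "_25._tcp.mail.example.net"
    try:
        hdr = query_tlsa_ad(name)
        print("%s: rcode=%d ancount=%d ad=%s" % (name, hdr["rcode"], hdr["ancount"], hdr["ad"]))
    except (OSError, ValueError) as exc:
        print("query failed: %s" % exc)
```

Run it against the local resolver from the report (`nameserver 127.0.0.1`) with the TLSA owner name of a DANE peer. If `ad=True` comes back on the wire while Postfix still refuses the dane-only delivery, the bit is being lost inside the stub resolver rather than at the name server, which is the failure mode the 20200416 entry works around; `ad=False` on the wire means the resolver itself is not validating and DANE cannot work regardless of the Postfix version.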
[Original Description]
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current development LTS 20.04 this stopped working.
Compare the following commands:
Ubuntu 18.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.
posttls-finger: setting up TLS connection to www.bueren.
Ubuntu 20.04:
$ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
to=<email address hidden>, relay=none, delay=2126, delays=
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSign
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-
PostconfMyorigin: /etc/mailname
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
ResolvConf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago)
Related branches
- Canonical Server: Pending requested
Diff: 795 lines (+249/-88), 32 files modified:
HISTORY (+81/-0)
Makefile.in (+1/-1)
README_FILES/MAILLOG_README (+1/-1)
RELEASE_NOTES (+8/-0)
conf/postfix-tls-script (+1/-1)
debian/changelog (+19/-0)
debian/patches/series (+0/-1)
debian/postfix.postinst (+1/-1)
dev/null (+0/-51)
html/MAILLOG_README.html (+1/-1)
html/postconf.5.html (+1/-1)
html/postfix.1.html (+1/-1)
makedefs (+14/-1)
man/man1/postfix.1 (+1/-1)
man/man5/postconf.5 (+1/-1)
proto/MAILLOG_README.html (+1/-1)
proto/postconf.proto (+1/-1)
src/dns/dns.h (+4/-0)
src/dns/dns_lookup.c (+5/-2)
src/dns/dns_str_resflags.c (+6/-0)
src/global/mail_params.c (+2/-0)
src/global/mail_params.h (+1/-1)
src/global/mail_version.h (+2/-2)
src/milter/milter.c (+5/-5)
src/postfix/postfix.c (+1/-1)
src/smtpd/smtpd_check.c (+8/-8)
src/tls/tls_bio_ops.c (+7/-0)
src/tls/tls_misc.c (+21/-0)
src/tls/tls_session.c (+1/-1)
src/tlsproxy/tlsproxy.c (+26/-4)
src/util/midna_domain.c (+26/-0)
src/util/midna_domain.h (+1/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
Diff: 775 lines (+241/-87), 31 files modified:
HISTORY (+81/-0)
Makefile.in (+1/-1)
README_FILES/MAILLOG_README (+1/-1)
RELEASE_NOTES (+8/-0)
conf/postfix-tls-script (+1/-1)
debian/changelog (+12/-0)
debian/patches/series (+0/-1)
dev/null (+0/-51)
html/MAILLOG_README.html (+1/-1)
html/postconf.5.html (+1/-1)
html/postfix.1.html (+1/-1)
makedefs (+14/-1)
man/man1/postfix.1 (+1/-1)
man/man5/postconf.5 (+1/-1)
proto/MAILLOG_README.html (+1/-1)
proto/postconf.proto (+1/-1)
src/dns/dns.h (+4/-0)
src/dns/dns_lookup.c (+5/-2)
src/dns/dns_str_resflags.c (+6/-0)
src/global/mail_params.c (+2/-0)
src/global/mail_params.h (+1/-1)
src/global/mail_version.h (+2/-2)
src/milter/milter.c (+5/-5)
src/postfix/postfix.c (+1/-1)
src/smtpd/smtpd_check.c (+8/-8)
src/tls/tls_bio_ops.c (+7/-0)
src/tls/tls_misc.c (+21/-0)
src/tls/tls_session.c (+1/-1)
src/tlsproxy/tlsproxy.c (+26/-4)
src/util/midna_domain.c (+26/-0)
src/util/midna_domain.h (+1/-0)
- Lucas Kanashiro (community): Approve
- Bryce Harrington (community): Needs Fixing
- Canonical Server Core Reviewers: Pending requested
Diff: 212 lines (+38/-58), 10 files modified:
HISTORY (+9/-0)
Makefile.in (+1/-1)
debian/changelog (+10/-0)
debian/patches/series (+0/-1)
dev/null (+0/-51)
makedefs (+1/-1)
src/dns/dns.h (+4/-0)
src/dns/dns_lookup.c (+5/-2)
src/dns/dns_str_resflags.c (+6/-0)
src/global/mail_version.h (+2/-2)
Changed in postfix (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in postfix (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Medium
Changed in postfix (Ubuntu):
status: Triaged → Fix Released
Changed in postfix (Ubuntu):
status: Fix Released → Triaged
description: updated
summary: after upgrade to 20.04: posttls cannot connect to private/tlsmgr → [SRU] after upgrade to 20.04: posttls cannot connect to private/tlsmgr
Changed in postfix (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in postfix (Ubuntu Focal):
status: Triaged → In Progress
summary: [SRU] after upgrade to 20.04: posttls cannot connect to private/tlsmgr → [SRU] after upgrade to 20.04: dane support is not working
description: updated
description: updated
tags:
added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Thanks Jan for this bug report. I can indeed reproduce the issue; using LXD containers the easiest steps are the following:
1. Launch a clean Eoan container
2. `apt install postfix` with "Local only" config, accept all the defaults
3. Run: `posttls-finger -c gmail.com`. The TLS connection succeeds. The result will be a "certificate verification failed [...] untrusted issuer" but this is because a trust anchor was not set up (I think). The tool works as expected.
4. Launch a clean Focal container and install postfix in the same way.
5. Again, run: `posttls-finger -c gmail.com`. The output is:
root@paride-f:~# posttls-finger -c gmail.com
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
which is clearly wrong.
The postfix package is a sync from Debian, but unfortunately Debian sid is ahead of it, while Debian Buster is behind it, so I can't immediately test how the same version of the package behaves on Debian. However, the problem is *not* present in Debian sid or Buster, nor could I find a Debian bug referencing it.